Deploying Mobility Securely

1
Deploying Mobility Securely
2
The Risks

• Its just my calendar!
• Theft and loss
• Personal device ownership
• Malicious software
• Cracking and hacking

3
Attack surfaces
1. Secure the device
2. Secure the data
3. Secure the communications
4
Security Practises

• Perform Risk Assessment
• Establish Policy for
• Authentication
• Encrypted Connectivity
• Encrypted Data
• Anti-Virus
• Execution Control
• Automate enforcement
• Recovery

5
1. Authentication

• Device Password
• Network/Internet Access
• Certificates

6
Device Password - Microsoft

• 4-digit PIN (Pocket PC)
• Strong password (Pocket PC SmartPhone)
• gt4 digit PIN (Smartphone)
• Exponential delay with incorrect password
• Password protected ActiveSync partnership

7
Device Password OEM
HP iPAQ 5400 Series
Fingerprint reader
8
Device Password 3rd Party

• Picture sequence
• Tells a story
• Easy to remember
• Picture order changes
• Avoid pattern recognition
• Balances screen scratches
• Short and long sequence
• Quick access short PIN
• Incorrect PIN reverts to long PIN

Pointsec Software
9
Device Password 3rd Party

• Password Replacement
• Secures PDA access
• Uses secret sign biometric
• Sandia Laboratories Tested
• Scenarios
• Information warfare
• Homeland defense
• HIPPA compliance
• Enterprise security

Crypto-Sign TM
10
Network/Internet Access

• NTLM Authentication
• Challenge Handshake Authentication Protocol (CHAP
  and MS-CHAP versions 1 and 2)
• Password Authentication Protocol (PAP)

11
Certificates

• Support for x.509 certificates
• Can authenticate users, operators, and servers
• Securely stored, managed and deleted on the device

12
2. Encrypted Connectivity

• VPN protocol support
• PPTP and IPSec/L2TP
• Encryption for secure web sites
• 128 bit SSL
• WTLS class 2
• Encryption for LAN connectivity
• VPN
• 802.1x EAP-TLS and PEAP

13
3. Data Protection

• Limit the data to just what is needed.
• Data resident on storage cards
• Cryptographic services for applications are
  built-in (Crypto API v2)
• SQL-CE provides 128-bit encryption (PPC only)
• Data thats never on the device can never be
  lost.
• Web-based applications
• Terminal Services

14
4. Anti-Virus Software

• Built-in APIs for Anti-virus solutions
• Computer Associates
• F-Secure
• McAfee
• SOFTWIN
• Personal Firewall
• Bluefire Security Technologies
• Check Point VPN-1 SecureClient

15
5. Execution Control

• Smartphone now - Pocket PC in future release.
• Based on application signing and protects in two
  ways
• Installation
• Execution
• Modes of operation
• All apps allowed
• Prompt user when un-signed app is trying to
  install or execute
• Only signed applications (chaining to a trusted
  root certificate) are allowed
• Can revoke applications
• By author (revoke a signing cert)
• By executable (revoke a hash)
• Windows Mobile Mobile-2-Market program
• Run registered applications as unprivileged

16
Automated Enforcement

• Odyssey Software
• Policy management facility that limits which
  applications a user can access at specific time
  periods of the day
• Trust Digital LLC
• PDASecure Policy Editor provides centralized
  management to push security policies to all your
  PDA users
• Symbol Technologies, Inc.
• Policy management facility that limits which
  applications a user can access

17
Recovery

• Replacement devices
• Backup file
• Data on PC
• Data on network server
• Restore process on secure web server

18
Summary of Windows Mobile Security Features

• Perimeter protection
• Device lock PIN, Strong, exponential delay
• Authentication protocols PAP, CHAP, MS-CHAP,
  NTLM, TLS
• Data protection
• 128-bit Cryptographic services CAPIv2
• Code signing (Smartphone only)
• Anti-virus API
• Network protection
• OTA device management security
• Secure Browsing HTTP (SSL), WAP (WTLS)
• Virtual Private Networking (PPTP, L2TP IPSec)
• Wireless network protection (WEP, 802.1x, WPA)

19
3rd Party Solution Providers

• Signature authentication
• Certicom Corporation
• Communication Intelligence Corporation
• TSI/Crypto-Sign
• VASCO
• Enhanced password protection
• Hewlett-Packard
• Pictograph authentication
• Pointsec Mobile Technologies
• Fingerprint authentication
• Biocentric Solutions Inc.
• HP iPAQ 5400
• Card-based authentication
• RSA Security
• Schlumberger Sema
• Certificate Authentication on a Storage Card
• JGUI
• Software Storage Encryption
• F-Secure

• Encrypt Application Data
• Certicom Corporation
• Glück Kanja Group
• Ntru Cryptosystems, Inc.
• Virtual Private Networking
• Certicom Corporation
• Check Point Software Technologies Ltd.
• Columbitech
• Entrust, Inc.
• Epiphan Consulting Inc.
• Disable Applications
• Trust Digital LLC
• Device Wipe
• Asynchrony.com
• Public Key Infrastructure (PKI)
• Certicom Corporation
• Diversinet Corp.
• Dreamsecurity Co., Ltd.
• Glück Kanja Group

20
(No Transcript)
21
References

• Windows Mobile Security White paper
• http//www.microsoft.com/windowsmobile/resources/w
  hitepapers/security.mspx
• Security Product Solutions
• http//www.microsoft.com/windowsmobile/information
  /businesssolutions/security/secsearch.aspx

22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
Headline Text